Gerard Allwein & Ira S. Moskowitz
Center for High Assurance Computer Systems, Code 5540
Naval Research Laboratory
Washington, DC 20375 USA

Abstract

We present algebraic operators useful in constructing models for software engineering applied to reliability and security. Double rail testing is a mathematical formalism for analyzing testing situations that have both false positives and false negatives, as well as true positives and true negatives. Furthermore, tests are qualitatively modeled via channel theory, and their quantitative behavior is described as a Shannon binary communication channel. Tests, viewed strictly quantitatively, form a domain (domain theory), and the domain order is determined by the probability of error for tests. The language for tests includes operators for convex sum, sequential (Markov) composition, parallel conjunction and parallel disjunction, and an involution.

Keywords: reliability, software metrics, Shannon channels, algebra of tests.

1 Introduction

In [6], Shannon's work in reliability [5] was applied for the first time in applications for high assurance systems. The current paper generalizes and extends [6] with an algebra that can be used for software engineering metrics. In some areas of real-time control systems, probability analysis must be substituted for more precise analytical models. The systems can easily become too complicated for the direct analytical approach. Another area that could be addressed using our techniques is hardware-software co-design, where the interaction between hardware and software is sometimes not well understood. The complexity issue comes up again in large systems where the system is so complex that a probabilistic model must be used to determine system behavior. The algebra of tests presented in the current paper is intended for use in constructing probabilistic models of systems.

A test is considered to be a channel in the sense of information flow, but what kind of channel is it? It cannot be strictly a communication channel since the objects moving through the channel are objects to be tested, not simply symbols. The objects could be elements which must be managed for secure information flow. In addition, a test may also modify the objects. Hence, certain testing operations might be quite expensive since one cannot test the same object twice. To capture this level of complexity, a more intricate notion of channel is required. This notion is supplied by Barwise and Seligman's channel theory [1].

The framework of channel theory, and the quantitative algebra of tests in this paper, can be used in performing risk analysis. Various kinds of assurance can be enhanced by the repetition of tests. However, what is also important is to measure how much of an increase will result from the expense of repeating tests. Repeating tests is not a particularly sophisticated notion and can easily result in poorer performance than if the test were not repeated. The configuration of how tests are combined matters significantly, and this is formalized in the algebra. Another way to view the algebra for a network of tests is as a formal method for composition of tests via a network of subtests, which is the view in this paper. The analysis and algebra in this paper will support formal tools.

A basic reference for some of the quantitative mathematics in this paper is a classic paper by Moore and Shannon [5]. This mathematics is augmented by the domain theory contained in [4].

1.1 Formalism

The goal of a test is to classify a collection of objects with respect to some criteria. Let us presume there is a predicate (in the Fraktur font) 𝔓(x) which, when given an object, determines whether the object has a particular property. 𝔓(x) is much too ideal or perfect to be considered a test. Without confusion, let the property associated with 𝔓(x) be called 𝔓. "x satisfies 𝔓" is denoted x ⊨ 𝔓. At this level of discourse, x is a variable and 𝔓 is an indeterminate. 𝔓 is an element of a Platonic world that is always accurate and never makes a mistake. Most of us live in a non-Platonic world and we must evaluate 𝔓(x) via a test, 𝓜. The test 𝓜 might consist of a fair amount of preparation using chemicals, apparatus, etc. Consequently, the actual predicate embodied by a test is something other than 𝔓. Let the predicate embodied by a test be denoted by (the Roman font) P. "x satisfies P" is denoted as x ⊨ P.

One might initially consider that to test for 𝔓 might mean to "prove" of an object x to be tested that x satisfies the conditional 𝔓 → P, i.e., that if 𝔓 is true of x, then P must be true of x. However, if 𝔓 is not true of x, there is something a bit odd if it were also the case that P were true of x. The test is not doing the correct classifying even though the conditional 𝔓 → P holds of x. Tests are expected to classify correctly with respect to 𝔓 and the negation of 𝔓. The term "double rail" comes from CMOS circuits, and refers to the notion that both the positive and negative of a predicate are to be managed.

If 𝓜 were a test in a programming language, every state (every x) will force either x ⊨ P or x ⊭ P, and P is truth functionally equivalent to 𝔓. This kind of test might be pictured via the diagram on the left (below):

[diagram: on the left, the bin B is sorted by the test into C1 = {a | a ⊨ P} and C0 = {a | a ⊭ P}; on the right, the same sorting drawn from the bins B0 and B1]

where the p and the p̄ represent the proportion of objects of a bin B that the test sorts or classifies either into bin C0 or into bin C1. Also, assuming classical probability, p̄ = 1 − p. If P were accurate with respect to 𝔓, then x ⊨ P iff x ⊨ 𝔓.

As a step towards a representation, consider that from a Platonic viewpoint, B is already classified into two bins, say B0 and B1, where B0 = {a | a ⊭ 𝔓} and B1 = {a | a ⊨ 𝔓}. The diagram we would be tempted to draw if P were accurate for 𝔓 is the diagram on the right (above).

There is a probability distribution for just the (B0, B1); let the probability distribution associated to (B0, B1) be (p, p̄), where p represents the proportion of elements that pass the test. This is not represented in the diagram. Thinking of (B0, B1) as a set variable, (p, p̄) becomes a probability distribution variable, and the diagram is accurate as long as the test P is accurate, i.e., it moves elements of B0 to C0 with probability 1 and elements of B1 to C1 with probability 1.

Tests in the real world are rarely as antiseptic. False negatives and false positives are a problem that must be handled when dealing with these kinds of tests. In the case above, elements of B0 will find their way to C1 when the test gives a false positive, and elements of B1 will find their way to C0 for a false negative. Probabilities are associated with these false results. This may be diagrammed as:

[diagram: B1 → C1 with probability m1 and B1 → C0 with probability m̄1; B0 → C1 with probability m2 and B0 → C0 with probability m̄2]

where the curious labeling of m2 for the probability of a false positive and m̄2 for an accurate negative is for simplifying the mathematics in the sequel. This diagram represents only the probabilistic nature of the test. It does not explain details about what the test is for, how the test is performed, or allow us to compare the workings of two different tests except for their probabilistic behavior.

Consider the diagram in terms of B, B0, and B1 and observe that B = B0 ∪ B1 and B0 ∩ B1 = ∅. Recall B0 represents elements that truly do not satisfy 𝔓 and B1 represents elements that truly do satisfy 𝔓. Now consider how the test 𝓜 sorts B into bins C1 and C0. Let a ∈ B; the argument proceeds by cases since, from the conditions on B, a ∈ B0 or a ∈ B1 but a ∉ B0 ∩ B1. Let a ⊨ 𝔓 and further let a ⊨ P; then P is accurate for a and throws a into bin C1. Suppose a ⊭ P; then P is not accurate for a and throws a into bin C0. By sufficient "runs", a probability m1 can be assigned to P for accurately sifting elements of B1, in which case 1 − m1 = m̄1 is the probability P is inaccurate for sifting elements of B1. A similar argument holds for bin B0, assigning m2 for false positives and 1 − m2 = m̄2 for true negatives.

A feature of representing tests in the above manner is that a test labels the objects it tests. This is important in further classifying objects undergoing testing. The Platonic device of dividing the original bin B into B0 and B1 is for the care and feeding of composing tests.

The information about the probabilistic properties of the test P is represented with the following row stochastic matrix (RSM):

\[
(m_1, m_2) :=
\begin{bmatrix} m_1 & \bar m_1 \\ m_2 & \bar m_2 \end{bmatrix}
=
\begin{bmatrix} K(C_1 \mid B_1) & K(C_0 \mid B_1) \\ K(C_1 \mid B_0) & K(C_0 \mid B_0) \end{bmatrix}
\]

where K is the (Kolmogorov) probability of an event associated with the set, e.g., satisfying 𝔓 is associated with B1. The set of tests is in bijective correspondence with the set of 2 × 2 RSMs. The input probability of the bins, represented with (p, p̄), is operated on by the RSM to yield another probability distribution:

\[
[\,p \;\; \bar p\,] \circ
\begin{bmatrix} m_1 & \bar m_1 \\ m_2 & \bar m_2 \end{bmatrix}
= (p m_1 + \bar p m_2,\; p \bar m_1 + \bar p \bar m_2)
\]

with (p, p̄) represented by the 2-vector [p p̄]. The output vector represents the probabilistic behavior of test P given its input.

The qualitative behavior of a test is represented by the channel theoretic account in the Appendix, where the Gentzen sequents are of the form 𝔓 ⊢ P. An entire channel contains a lot of information; however, the rest of this paper is concerned with quantitative behavior. In the sequel, when there is no confusion, a test referred to as m = (m1, m2) really stands for all that is included in a test; a different test would be denoted n = (n1, n2).


2 Connecting Tests

The Appendix shows how a test is conceived as a channel of channel theory. Connecting tests via parallel conjunction and/or parallel disjunction may require that objects to be tested be cloned or divided, say, in the way a vial of blood may be divided into two vials with half as much in each. The mechanisms of channel theory do not require this, since one could use the identity relation in the channel if the objects for testing require no cloning.

The operations of parallel conjunction, parallel disjunction, and involution of this section indicate functors on the category of test channels. In the succeeding section, the operations of fusion and convex sum also indicate functors. Space restrictions prevent us from exploring this here. These operations (except for convex sum) appear to be similar in spirit (but different in details) to the Dialectica interpretation of linear logic [2].

One could also add a further operation, "best of", as in "best 3 out of 5". An object passes the test if it passes the best 3 out of 5 repetitions of the test. These kinds of prescriptions are not always possible given the nature of a test; however, when present, they represent a best case scenario [5]. Space prevents us from addressing these kinds of connections here.

2.1 Parallel Conjunction

Consider two tests where the expectation is that an element satisfies the combined test when and only when it satisfies both of the tests separately. The feel of this test is that an element of an input bin is being tested simultaneously by both tests. This conjunction can be expressed in English by calling it a parallel conjunction.

What does it mean to pass both tests? If something starts as satisfying 𝔓, it must satisfy P for both tests; this is simple, no failure. However, if something does not satisfy 𝔓, it is considered to not satisfy P if it is recognized as such by at least one of the tests. One can picture parallel conjunction with

[diagram: the solid line B1 → (C1, D1) with probability m1·n1, and the three dashed lines B0 → (C1, D0), B0 → (C0, D1) and B0 → (C0, D0)]

where Bi, Cj are as before and Di refers to the output bins of a test with output predicate Q on the same input and (n1, n2) its quantitative behavior. The test results are "vectorized". The first test is the first entry in the 2-vector, and the second test is the second entry in the 2-vector. The line from B1 to C1, D1 has probability m1·n1; this probability represents the only correct way for an element from B1 to test as C1, D1: it must pass both tests. Therefore the upper left hand entry of m·n should be m1·n1.

What about an element from B0? As long as it does not pass both tests, it is still considered a failure. Intuitively, if one took a medical test and only passed one test, would the person be confident that they did not have a condition? The failure of test m·n can be seen by following the paths of the three dashed arrows (above): B0 → (C1, D0), B0 → (C0, D1), and B0 → (C0, D0). The sum of the probabilities along these three dashed paths is m2·n̄2 + m̄2·n2 + m̄2·n̄2 = 1 − m2·n2. Therefore the lower right hand entry of m·n should be 1 − m2·n2. Collecting together the conditions leads to:

Definition 2.1.1 The parallel conjunction of two tests m and n is defined on the left and represented as an RSM on the right:

\[
m \cdot n = (m_1 \cdot n_1,\; m_2 \cdot n_2) :=
\begin{bmatrix} m_1 n_1 & 1 - m_1 n_1 \\ m_2 n_2 & 1 - m_2 n_2 \end{bmatrix}
\]

It is tempting to think of elements to be tested as "flowing" from left to right. This is misleading. The language only shows the logical configuration of tests; it is not a flow diagram. Note that m·m = ((m1)², (m2)²).


2.2 Parallel Disjunction

Consider two tests where the expectation is that an element satisfies the combined test just when it satisfies either of the tests. The feel of this test is that an element of an input bin is being tested simultaneously by both tests, and success with either constitutes success with the test. This disjunction can be expressed in English by calling it a parallel disjunction. One would use this when testing for two disparate properties. As above we "vectorize" the test outputs.

For an element of B1 going to C0, both tests must fail; this probability is m̄1·n̄1. Therefore, the probability of B1 going to C1 is simply 1 − m̄1·n̄1.

The probability of B0 going to C0, which is the vector output (0, 0), is as above and is m̄2·n̄2. Therefore, the probability of B0 going to C1 is 1 − m̄2·n̄2.


Definition 2.2.1 The parallel disjunction of two tests m and n is defined on the left and represented as an RSM on the right:

\[
m \parallel n = (\overline{\bar m_1 \cdot \bar n_1},\; \overline{\bar m_2 \cdot \bar n_2}) :=
\begin{bmatrix} 1 - \bar m_1 \bar n_1 & \bar m_1 \bar n_1 \\ 1 - \bar m_2 \bar n_2 & \bar m_2 \bar n_2 \end{bmatrix}
\]

2.3 Involution

There is an involution of the matrices:

Definition 2.3.1

\[
\sim(m_1, m_2) := (\bar m_2, \bar m_1).
\]

Clearly, ~~m = m. This corresponds to swapping satisfying the test with not satisfying the test.

Lemma 2.3.2

\[
m_2 \le n_2 \le n_1 \le m_1 \;\text{ implies }\; \bar m_1 \le \bar n_1 \le \bar n_2 \le \bar m_2.
\]

Theorem 2.3.3

\[
m \parallel n = \sim(\sim m \cdot \sim n)
\]

where ~ binds more tightly than · in algebraic expressions.
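As an added example, not part of the paper, the following Python encodes a test as the pair (m1, m2) of Section 1.1 together with its RSM and output distribution, implements the parallel conjunction, parallel disjunction and involution of Section 2, and checks Lemma 2.3.2 and Theorem 2.3.3 numerically; the sample tests (0.9, 0.2) and (0.8, 0.1) are constructed values.

```python
from typing import List, Tuple

# A test is the pair m = (m1, m2) of Section 1.1:
#   m1 = K(C1|B1), the probability an element that truly satisfies the property passes;
#   m2 = K(C1|B0), the probability an element that truly does not satisfy it passes
#   (a false positive).
Test = Tuple[float, float]


def bar(x: float) -> float:
    """Complement, written with an overbar in the paper: x̄ = 1 - x."""
    return 1.0 - x


def rsm(m: Test) -> List[List[float]]:
    """Row stochastic matrix [[m1, m̄1], [m2, m̄2]] of a test (Section 1.1)."""
    m1, m2 = m
    return [[m1, bar(m1)], [m2, bar(m2)]]


def apply(m: Test, p: float) -> Tuple[float, float]:
    """Push the input distribution [p, p̄] through the test: [p p̄] ∘ RSM(m).
    Returns (K(C1), K(C0)) = (p m1 + p̄ m2, p m̄1 + p̄ m̄2)."""
    m1, m2 = m
    return (p * m1 + bar(p) * m2, p * bar(m1) + bar(p) * bar(m2))


def conj(m: Test, n: Test) -> Test:
    """Parallel conjunction m · n = (m1 n1, m2 n2) (Definition 2.1.1): pass iff both pass."""
    return (m[0] * n[0], m[1] * n[1])


def disj(m: Test, n: Test) -> Test:
    """Parallel disjunction m ∥ n = (1 - m̄1 n̄1, 1 - m̄2 n̄2) (Definition 2.2.1):
    pass iff at least one of the two tests passes."""
    return (bar(bar(m[0]) * bar(n[0])), bar(bar(m[1]) * bar(n[1])))


def invol(m: Test) -> Test:
    """Involution ~(m1, m2) = (m̄2, m̄1) (Definition 2.3.1): swap satisfying with not."""
    return (bar(m[1]), bar(m[0]))


def close(a: Test, b: Test, eps: float = 1e-12) -> bool:
    return abs(a[0] - b[0]) < eps and abs(a[1] - b[1]) < eps


def theorem_2_3_3_holds(m: Test, n: Test) -> bool:
    """m ∥ n = ~(~m · ~n), with ~ binding more tightly than ·."""
    return close(disj(m, n), invol(conj(invol(m), invol(n))))


def invol_matches_relabeling(m: Test) -> bool:
    """The RSM of ~m is the RSM of m with its rows swapped (B0 <-> B1) and its columns
    swapped (C0 <-> C1), which is what swapping pass and fail means for the matrix."""
    r = rsm(m)
    relabeled = [[r[1][1], r[1][0]], [r[0][1], r[0][0]]]
    t = rsm(invol(m))
    return all(abs(relabeled[i][j] - t[i][j]) < 1e-12 for i in range(2) for j in range(2))


def lemma_2_3_2_holds(m: Test, n: Test) -> bool:
    """m2 <= n2 <= n1 <= m1 implies m̄1 <= n̄1 <= n̄2 <= m̄2."""
    if not (m[1] <= n[1] <= n[0] <= m[0]):
        return True  # hypothesis false, so the implication holds vacuously
    return bar(m[0]) <= bar(n[0]) <= bar(n[1]) <= bar(m[1])


if __name__ == "__main__":
    m, n = (0.9, 0.2), (0.8, 0.1)  # constructed sample tests
    print("output of m on p = 1/2:", apply(m, 0.5))
    print("m·n =", conj(m, n), " m∥n =", disj(m, n), " ~m =", invol(m))
    print("Theorem 2.3.3 holds:", theorem_2_3_3_holds(m, n))
```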


3 Partial Order on Tests

A partial order on tests can be defined from the notion of probability of error.

3.1 Probability of Error

The probability that a test is wrong depends on the initial probabilities (the associated events are disjoint) of B0 and B1. A test is wrong if it misclassifies an input. So the probability that the test is wrong is:

\[
K(\text{test wrong}) = K(C_0 \mid B_1)\, K(B_1) + K(C_1 \mid B_0)\, K(B_0).
\]

The notation is simplified for the test input distribution by setting p = K(B1) and p̄ = 1 − p = K(B0). The random variable describing the test inputs is represented as (p, p̄).

Definition 3.1.1 Let (p, p̄) be an input distribution for a test m; then the probability of error of the test is

\[
e_m(p) := (p \cdot \bar m_1) + (\bar p \cdot m_2).
\]

Note that if m̄1 = m2 = x, that is, the false positive and false negative probabilities are equal, then

\[
e_m(p) = x.
\]

Let us isolate the reasoning for thinking of a test as being a communication channel. Each element of the bin B can carry a lot of information. However, this information is sorted Platonically by 𝔓 into two bins. In effect, there is only one bit of information one can extract from 𝔓 for each element of B: either x ⊨ 𝔓 or x ⊭ 𝔓. To extract other information, we need another predicate. Here, the term "bit" is being used both colloquially and in the Shannon interpretation. The job of the test 𝓜 is to transmit information about B. If P were accurate for 𝔓, then P is transmitting precisely the information about the elements of B as reported by 𝔓, i.e., x ⊨ 𝔓 or x ⊭ 𝔓. To the extent P fails to be accurate about 𝔓, P fails to transmit accurately information about the elements of B. The source of the transmission is the bin B; the sink is us or whatever is the consumer of what P can say about elements of B.

For the rest of the paper, we restrict ourselves to the subset N of RSMs that have non-negative determinant. This set N has been well-studied in [4]. Geometrically N is the lower right hand triangle of the unit square.

The RSM (1, 0) is the identity matrix. The set D of RSMs of the form (a, a), a ∈ [0, 1], is in obvious bijective correspondence with the main diagonal of the unit square.


[figure: the unit square of tests (m1, m2); negative tests, m2 > m1, lie above the diagonal and positive tests, m2 < m1, below it]


There is a natural order on tests determined from the probability of error:

Definition 3.1.2

\[
m \sqsubseteq n \;\text{ iff }\; \forall p\, (e_m(p) \le e_n(p)).
\]

This definition yields an interval order from domain theory (see [3]). The only part of domain theory needed in this paper is that the interval order is a partial order.

That the probability of error defines the interval order was observed by Keye Martin and Catuscia Palamidessi (private communication). Interpreting this order by viewing m and n in their matrix form, m ⊑ n means m is closer to the identity matrix and n is closer to a matrix with equal rows.

Theorem 3.1.3 (Martin & Palamidessi)

\[
m \sqsubseteq n \;\text{ iff }\; m_2 \le n_2 \text{ and } n_1 \le m_1.
\]

The import of this theorem is that one can compare two tests m and n with respect to the errors they generate on all input distributions by simply comparing their respective values, i.e., m1 with n1 and m2 with n2. This relation can be depicted as

[figure: the interval [n2, n1] nested inside the interval [m2, m1] on the unit interval from 0 to 1]

It makes sense here to invert the order so that the error decreases as one moves further away from the main diagonal towards (1, 0).

Definition 3.1.4

\[
m \preceq n \;\text{ iff }\; n_2 \le m_2 \text{ and } m_1 \le n_1.
\]

This partial order is the reverse of the domain order from [4], although it is not itself a domain order.


3.2 Networks

Each network is assumed to be made of identical and independent copies of a single test connected in certain ways. The tests are all done simultaneously, much like all coils [5] are energized simultaneously. The network then shows how to combine the test results. Consider the network from [5], now interpreted as a network of copies of the test m connected as in the diagram on the left:

[diagram: left, four copies of m, two in series on each of two parallel branches; right, the plot of h(x) = 2x² − x⁴ against the line y = x]

This network is represented as the test n, where n = m·m ∥ m·m. Direct calculations show that n = (2(m1)² − (m1)⁴, 2(m2)² − (m2)⁴). Is n better than m? Using the partial order, this becomes: does m ≼ n hold? Consider the function h(x) = 2x² − x⁴, which is plotted above (right diagram).

We wish to solve 2x² − x⁴ = x, which is equivalent to solving −x⁴ + 2x² − x = 0 (this has four roots; we only care about the ones between 0 and 1). Since −x⁴ + 2x² − x = x(1 − x)(x² + x − 1), we see that the solutions are 0, 1, and the roots of x² + x − 1. The root of x² + x − 1 in the unit interval is (√5 − 1)/2 ≈ .618 (note that (√5 − 1)/2 is the multiplicative inverse of the golden mean¹ (1 + √5)/2, and also the golden mean less 1).

If m1 > (√5 − 1)/2 and m2 < (√5 − 1)/2, then m ≼ n. Thus, it is possible to improve a test by composition.

The 2-dimensional structure for holding m1 and m2 shows how to compose tests in order to improve their accuracy. Of course, one may combine tests that are not identical.

¹We thank Keye Martin for seeing Shannon's use of .618 in [5] and "knowing" that the inverse of the golden mean had to be a root.

All parallel compositions of tests have the same general form. That is, they look like an S and cross the diagonal exactly once (see [5]) in the open interval (0, 1).

In terms of the order, the diagram on the left (below) shows the region upon which h is guaranteed to iterate channels towards (1, 0).


[figure: left, the region of the unit square marked by the points (0, 0), (.618, 0) and (1, 0); right, the domain drawn with the diagonal points (0, 0), (.618, .618) and (1, 1)]

The region above ((√5 − 1)/2, (√5 − 1)/2) in the partial order on tests does form a domain and is pictured with the diagram on the right, where the up direction represents an increase in the partial order. Every matrix above ((√5 − 1)/2, (√5 − 1)/2) is in the rectangle bordered by ((√5 − 1)/2, (√5 − 1)/2), ((√5 − 1)/2, 0), (1, (√5 − 1)/2) and (1, 0).

h is strictly increasing in the domain, whose bottom is ⊥ = ((√5 − 1)/2, (√5 − 1)/2), and the domain has the inverse order to the usual interval domain order. Let the extension of h to pairs (determining domain elements) be denoted h̄. In this example, h̄(m) = (2(m1)² − (m1)⁴, 2(m2)² − (m2)⁴). h̄ is monotone and iteratively increasing above ⊥ and below (1, 0), i.e., m ≼ h̄(m) in the pointwise order. Hence if m1 > π1(⊥) and m2 < π2(⊥) (the πi are projections), h(m1) > m1 and h(m2) < m2.

This says that if m2 is below roughly .61 and m1 is above roughly .61, the network of tests (m·m) ∥ (m·m) is a better test than the test m by itself. Hence, one can make good tests out of mediocre tests.

From [5], the formula h is arrived at via the prescription

\[
h(x) = \sum_{i=0}^{n} A_i\, x^i (1 - x)^{n-i}
\]

where n is the number of contacts (our tests) in a circuit and A_i is the number of ways a circuit's input can be connected with its output by turning on i contacts and turning off n − i. Using the algebra developed in the preceding section,

\[
h(m) = (m \cdot m) \parallel (m \cdot m) = \big(1 - (1 - m_1^2)^2,\; 1 - (1 - m_2^2)^2\big).
\]

Computing these formulas via the algebra is much easier than attempting to figure out the number of paths through the graphical circuit of tests.
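As an added example, not from the paper, the following Python computes the probability of error and the two orders of Section 3.1, builds the network h̄(m) = (m·m) ∥ (m·m) of Section 3.2 both with the algebra and with Shannon's A_i prescription (counting the A_i by enumerating contact states), and checks that iteration improves the paper's test (.7, .55) but not a constructed test (0.6, 0.3) whose m1 lies below (√5 − 1)/2.

```python
import itertools
from math import sqrt

GOLDEN_INV = (sqrt(5) - 1) / 2  # ≈ .618, the fixed point of h in (0, 1) found in Section 3.2


def bar(x):
    """Complement x̄ = 1 - x."""
    return 1.0 - x


def error(m, p):
    """Probability of error e_m(p) = p·m̄1 + p̄·m2 (Definition 3.1.1)."""
    return p * bar(m[0]) + bar(p) * m[1]


def below_by_theorem(m, n):
    """m ⊑ n by Theorem 3.1.3: m2 <= n2 and n1 <= m1 (m errs no more than n)."""
    return m[1] <= n[1] and n[0] <= m[0]


def below_by_definition(m, n, steps=101):
    """m ⊑ n by Definition 3.1.2, checked on a grid of input distributions p in [0, 1]."""
    return all(error(m, i / (steps - 1)) <= error(n, i / (steps - 1)) + 1e-12
               for i in range(steps))


def better(m, n):
    """Inverted order of Definition 3.1.4: m ≼ n iff n2 <= m2 and m1 <= n1."""
    return n[1] <= m[1] and m[0] <= n[0]


def h(x):
    """Scalar network function h(x) = 2x² - x⁴ of the network (m·m) ∥ (m·m)."""
    return 2 * x ** 2 - x ** 4


def network(m):
    """h̄(m): the four-copy network built with the algebra of Section 2."""
    conj = lambda a, b: (a[0] * b[0], a[1] * b[1])  # Definition 2.1.1
    disj = lambda a, b: (bar(bar(a[0]) * bar(b[0])),
                         bar(bar(a[1]) * bar(b[1])))  # Definition 2.2.1
    mm = conj(m, m)
    return disj(mm, mm)


def two_by_two_connects(on):
    """The Section 3.2 circuit: contacts 0,1 in series on one branch, 2,3 on the other,
    and the two branches in parallel. `on` is a tuple of 0/1 contact states."""
    return bool((on[0] and on[1]) or (on[2] and on[3]))


def moore_shannon(x, n, connects):
    """Shannon's prescription h(x) = Σ_i A_i x^i (1-x)^(n-i), where A_i is obtained by
    enumerating every on/off assignment of the n contacts and keeping those that connect
    input to output (each assignment with i contacts on contributes x^i (1-x)^(n-i))."""
    total = 0.0
    for on in itertools.product([0, 1], repeat=n):
        if connects(on):
            i = sum(on)
            total += x ** i * (1 - x) ** (n - i)
    return total


def iterate(m, k):
    """Trajectory m, h̄(m), h̄(h̄(m)), ... of k steps (Section 3.3 applies this to (.7, .55))."""
    out = [m]
    for _ in range(k):
        out.append(network(out[-1]))
    return out


def improves_monotonically(m, k):
    """True when every step of the trajectory is at least as good as the previous one (≼)."""
    traj = iterate(m, k)
    return all(better(a, b) for a, b in zip(traj, traj[1:]))


if __name__ == "__main__":
    m = (0.7, 0.55)  # the test used in Section 3.3
    print("h(.618) - .618 =", h(GOLDEN_INV) - GOLDEN_INV)
    for step, t in enumerate(iterate(m, 4)):
        print(step, t, "error at p = 1/2:", error(t, 0.5))
    weak = (0.6, 0.3)  # constructed: m1 is below .618, so the network does not improve it
    print(weak, "->", network(weak), "better?", better(weak, network(weak)))
```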

3.3 Trajectories

The functions defined by iteration or best-of prescriptions define a trajectory for a test in the partial order. Suppose there is a test with characteristics m = (m1, m2) = (.7, .55) and the function h = 2x² − x⁴ from the previous section is applied repeatedly to this test. There will be a sequence of points determined by the iteration, i.e., h(m), h(h(m)), h(h(h(m))), etc. These points fall along a parametric curve defined by h.

Consider a m = (m1, m2) and the curve defined by h(x) = 2x² − x⁴. As long as m1 > (√5 − 1)/2, h will move, via its iterates, m1 along its curve. Since h is a continuous and strictly increasing curve in the interval [0, 1], it has a unique inverse. Also, the interval [h⁻¹(m1), m1] is in the domain of h where h is above the line y = x for m1 > (√5 − 1)/2. Using the scheme from [7] [8], successive arcs from the intervals [hⁱ(m1), hⁱ⁺¹(m1)] can be computed from the arc generated from [h⁻¹(m1), m1] (see diagram on the left below).

The parametric form of the trajectory generated from h is then

\[
h^t(m_1) = \big(t(m_1 - h^{-1}) + h^{-1}(t),\; h(t)\big).
\]

This represents the continuous iteration h^t starting from the fixed position m1, and t is in the range [0, +∞). The limit of h^t(m1) as t approaches +∞ is 1. Using h^t(m2) for x < (√5 − 1)/2 yields a similar analysis, and the limit of h^t(m2) is 0. Combining the two trajectories for m = (m1, m2) = (.7, .55) yields a trajectory (see diagram on the right below) in the domain whose bottom point is ⊥ = (.7, .55) and where 0 ≤ t ≤ 3 (t is a real number):

[figure: left, the curve h(x) with the arcs of successive iterates; right, the trajectory of (.7, .55) in the domain]

This allows one to take derivatives in the domain, where the partial derivative in the increasing m1 direction and the partial derivative in the decreasing m2 direction are taken using h^t with respect to t. Thus, the speed at which iteration of a function improves the overall test can be ascertained precisely.

3.4 Convex Sum

The convex sum of two tests is used to combine a proportion of one test's output with a proportion of another's. The usual convex sum is

\[
m \oplus_p n := (p m_1 + \bar p n_1,\; p m_2 + \bar p n_2).
\]

Shannon states that one method of deriving the formula for a network is to pick a contact and replace it twice: once with a short circuit, the resulting network having equation f(p), and once with an open circuit, the resulting network having equation g(p), where p is either m1 or m2 when the mesh is constructed with contacts of type m. Hence

[diagram: the four-contact network of Section 3.2 (two series pairs of m in parallel) becomes, in the middle, the network with one contact shorted and, on the right, the network with that contact opened (the opened contacts crossed out)]

Then f(p) = p ∥ p·p, g(p) = p·p, and h(p) = p f(p) + p̄ g(p), where f is the formula for the network of the middle diagram above and g is the formula for the right hand diagram. This is very close to the convex sum except that the convex sum requires both m1 and m2. Since the equation must be computed twice,

\[
h(m) = \big(m_1 f(m_1) + \bar m_1 g(m_1),\; m_2 f(m_2) + \bar m_2 g(m_2)\big).
\]

A new operator similar to a convex sum will capture this:

\[
n \oplus_m n' := (m_1 n_1 + \bar m_1 n'_1,\; m_2 n_2 + \bar m_2 n'_2).
\]

Diagrammatically, the test m becomes the connective ⊕ that connects the two diagrams on the right above.

The following theorem is trivially true:

Theorem 3.4.1

\[
m \oplus_m m = m.
\]


3.5 Serial Conjunction (Fusion) or Sequencing Tests

Consider two tests where the first test's output bins (recall that a test labels the elements by selecting which bin they fall into) become the second test's input bins. This serial conjunction or fusion gives a notion of sequencing tests.

Definition 3.5.1 The serial conjunction or fusion of two tests m ∘ n is simply matrix multiplication of their respective behaviors m and n:

\[
m \circ n = (m_1, m_2) \circ (n_1, n_2) := \big(m_1(n_1 - n_2) + n_2,\; m_2(n_1 - n_2) + n_2\big).
\]

Since fusion is matrix multiplication it is not, in general, commutative.

Referring to the image below, the thick arrows represent the two paths from B1 to D1. The probability that the first path is taken is m1·n1, and the probability that the second path is taken is m̄1·n2, so that K(D1|B1) = m1·n1 + m̄1·n2 = m1(n1 − n2) + n2. Therefore, m1·n̄1 + m̄1·n̄2 = 1 − (m1(n1 − n2) + n2) is the probability K(D0|B1). Similarly, the dashed arrows below show the path of a B0 correctly going through the fusion of tests and coming out a D0; this has probability m2·n̄1 + m̄2·n̄2 = 1 − (m2(n1 − n2) + n2), which is K(D0|B0).

[diagram: B1 → C1 → D1 along the top row, labeled m1 and n1; B0 → C0 → D0 along the bottom row, labeled m2 and n2; thick arrows mark the two paths from B1 to D1 and dashed arrows the paths from B0 to D0]

More information can be extracted from fusion with respect to tests. Let m = (m1, m2). There is a unique line through m that connects (1, 0) to the diagonal. To derive this equation, note that the slope must be negative and is rise over run, hence the slope must be −m2/(1 − m1). This gives us

\[
y = -\frac{m_2}{1 - m_1}\, x,
\]

but this must be displaced a bit. Namely, when y is 0, x must be 1, so

\[
y = -\frac{m_2}{1 - m_1}\,(x - 1).
\]

Solving for x = y gives the intersection ⟨θm, θm⟩. Writing out the definition of m = ⟨m1, m2⟩ and noting that det(m1, m2) = m1 − m2, gives us

\[
m = (m_1, m_2) = (1 - t)\langle \theta_m, \theta_m \rangle + t\langle 1, 0 \rangle
= \big(m_1 = (1 - t)\theta_m + t,\; m_2 = (1 - t)\theta_m\big).
\]

Hence, m1 = m2 + t, so t = m1 − m2 = det(m1, m2). Since the determinant of m is the length of the interval [m2, m1], we let |m| mean det(m). So the determinant gives us the parameter t. Plugging in |m| for t yields θm = m2/(1 − |m|). It helps a bit to see this graphically:

[figure: the line from ⟨1, 0⟩ through m to the point ⟨θm, θm⟩ on the diagonal]

where t is the distance between (θm, θm) and m normalized so that the distance from (θm, θm) to (1, 0) is 1. Hence m1 = θm + (1 − θm)t = θm + t − tθm = (1 − t)θm + t, as was computed above.

Let m be an RSM, and let

\[
m^n := \underbrace{m \circ \cdots \circ m}_{n}.
\]

In more generality, given any sequence of RSMs m_j, j = 1, …, n, we have the product ∏_{j=1}^{n} m_j. Since m^n and ∏_{j=1}^{n} m_j are well-defined by standard matrix multiplication, we may discuss the limit lim_{n→∞} m^n and, for an infinite sequence, the limit lim_{n→∞} ∏_{j=1}^{n} m_j.

Theorem 3.5.2 The fuse of a test with itself always increases the error.

This is an example of how knowing the domain order can easily determine qualitative characteristics of operations performed on tests.

Theorem 3.5.3 If |m| < 1 then lim_{n→∞} m^n = (θm, θm). If |m| = 1 then lim_{n→∞} m^n = m.

The proof is a routine induction. Note that if |m| = −1, then m = (0, 1) and lim_{n→∞} m^n does not exist because the product m^n oscillates between the identity matrix and (0, 1).

Corollary 3.5.4 Any test m fuses a distribution (x, x̄) to (θm, 1 − θm) in the limit, i.e.,

\[
(p, \bar p) \circ \Big(\lim_{n \to \infty} m^n\Big) = (\theta_m,\; 1 - \theta_m).
\]
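As an added example, not from the paper, the following Python implements the convex sum and the ⊕_m connective of Section 3.4 and the fusion of Section 3.5: it recovers h(m) of the four-contact network from (f, g) connected by m and compares it with the closed form 2x² − x⁴, checks fusion against the paper's closed form, and iterates m^n to the limit (θm, θm) of Theorem 3.5.3 and the distribution (θm, 1 − θm) of Corollary 3.5.4; the sample tests are constructed values.

```python
from math import isclose


def bar(x):
    """Complement x̄ = 1 - x."""
    return 1.0 - x


def convex_sum(m, n, p):
    """Usual convex sum m ⊕_p n = (p m1 + p̄ n1, p m2 + p̄ n2) (Section 3.4)."""
    return (p * m[0] + bar(p) * n[0], p * m[1] + bar(p) * n[1])


def connect(m, n, n_prime):
    """n ⊕_m n' = (m1 n1 + m̄1 n1', m2 n2 + m̄2 n2'): the test m acts as the connective."""
    return (m[0] * n[0] + bar(m[0]) * n_prime[0],
            m[1] * n[1] + bar(m[1]) * n_prime[1])


def f_short(p):
    """f(p): the Section 3.2 network with one contact shorted, p ∥ (p·p)."""
    return bar(bar(p) * bar(p * p))


def g_open(p):
    """g(p): the same network with that contact opened, leaving the other series pair p·p."""
    return p * p


def h_by_connective(m):
    """h(m) = (m1 f(m1) + m̄1 g(m1), m2 f(m2) + m̄2 g(m2)), i.e. (f, g) connected by m."""
    f = (f_short(m[0]), f_short(m[1]))
    g = (g_open(m[0]), g_open(m[1]))
    return connect(m, f, g)


def h_direct(x):
    """The closed form 2x² - x⁴ from Section 3.2, for comparison."""
    return 2 * x ** 2 - x ** 4


def rsm(m):
    """Row stochastic matrix [[m1, m̄1], [m2, m̄2]] of a test."""
    return [[m[0], bar(m[0])], [m[1], bar(m[1])]]


def fuse(m, n):
    """Fusion m ∘ n as matrix multiplication of the RSMs (Definition 3.5.1)."""
    a, b = rsm(m), rsm(n)
    prod = [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]
    return (prod[0][0], prod[1][0])  # first column is (K(D1|B1), K(D1|B0))


def fuse_closed_form(m, n):
    """The paper's closed form (m1(n1 - n2) + n2, m2(n1 - n2) + n2)."""
    return (m[0] * (n[0] - n[1]) + n[1], m[1] * (n[0] - n[1]) + n[1])


def det(m):
    """|m| = det(m) = m1 - m2, the length of the interval [m2, m1]."""
    return m[0] - m[1]


def theta(m):
    """θ_m = m2 / (1 - |m|): where the line from (1, 0) through m meets the diagonal."""
    return m[1] / (1.0 - det(m))


def power(m, n):
    """m^n = m ∘ ... ∘ m (n times), starting from the identity test (1, 0)."""
    r = (1.0, 0.0)
    for _ in range(n):
        r = fuse(r, m)
    return r


def error(m, p):
    """e_m(p) = p m̄1 + p̄ m2 (Definition 3.1.1)."""
    return p * bar(m[0]) + bar(p) * m[1]


def apply(m, p):
    """[p p̄] ∘ RSM(m) = (K(C1), K(C0))."""
    return (p * m[0] + bar(p) * m[1], p * bar(m[0]) + bar(p) * bar(m[1]))


def same(a, b, tol=1e-9):
    return isclose(a[0], b[0], abs_tol=tol) and isclose(a[1], b[1], abs_tol=tol)


if __name__ == "__main__":
    m, n = (0.9, 0.2), (0.8, 0.1)  # constructed sample tests
    print("h by connective:", h_by_connective((0.7, 0.55)),
          "closed form:", (h_direct(0.7), h_direct(0.55)))
    print("m∘n =", fuse(m, n), " n∘m =", fuse(n, m))  # fusion is not commutative
    print("theta_m =", theta(m), " m^60 =", power(m, 60))  # converges to (theta, theta)
    print("error of m:", error(m, 0.5), " of m∘m:", error(fuse(m, m), 0.5))
```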


4 Conclusion

This paper is the result of viewing a test as a channel of channel theory and then applying some mathematics to extract the quantitative elements of that view. The use of domain theory applies more structure to Shannon's insights by using the probability of error to derive the interval domain on [0, 1]. The algebraic operations on the domain are reminiscent of constructs in linear logic; however, the binary relational model of the Dialectica interpretation is inadequate for dealing with tests, and the interpretation is unlikely to yield a closed category.

The notion that simply replicating a test does not inherently lead to a better test is at first sight counter-intuitive. However, once one attempts to answer the question of the precise relationship between the two instances of the test, the rest of the story becomes formalized in terms of the algebraic operations. These algebraic operations are useful in constructing models for testing software which operates in a probabilistic environment such as some types of real-time control systems.

A language for tests would include input predicates and output predicates, and it would also include a graphical language for connecting tests. The graphical language would include "connectives" for all of the algebraic operations dealt with in this paper as well as the "best of" operations.